Chapter 4 ? Hash Functions1

1
Overview

• Cryptographic hash functions are functions that
• Map an arbitrary-length (but finite) input to a
  fixed-size output
• Are one-way (hard to invert)
• Are collision-resistant (difficult to find two
  values that produce the same output)
• Examples
• Message digest functions - protect the integrity
  of data by creating a fingerprint of a digital
  document
• Message Authentication Codes (MAC) - protect both
  the integrity and authenticity of data by
  creating a fingerprint based on both the digital
  document and a secret key

2
Checksums vs. Mess. Digests

• Checksums
• Used to produce a compact representation of a
  message
• If the message changes the checksum will probably
  not match
• Good accidental changes to a message can be
  detected
• Bad easy to purposely alter a message without
  changing the checksum
• Message digests
• Used to produce a compact representation (called
  the fingerprint or digest) of a message
• If the message changes the digest will probably
  not match
• Good accidental changes to a message can be
  detected
• Good difficult to alter a message without
  changing the digest

3
Hash Functions

• Message digest functions are hash functions
• A hash function, H(M)h, takes an
  arbitrary-length input, M, and produces a
  fixed-length output, h
• Example hash function
• H sum all the letters of an input word modulo
  26
• Input a word
• Output a number between 0 and 25, inclusive
• Example
• H(Elvis) ((E L V I S) mod
  26)
• H(Elvis) ((51222919) mod 26)
• H(Elvis) (67 mod 26)
• H(Elvis) 15

4
Collisions

• For the hash function
• H sum all the letters of an input word modulo
  26
• There are more inputs (words) than possible
  outputs (numbers 0-25)
• Some different inputs must produce the same
  output
• A collision occurs when two different inputs
  produce the same output
• The values x and y are not the same, but H(x) and
  H(y) are the same

5
Collisions - Example

• H(Jumpsuit) 25
• (J U M P S U I T)
  mod 26
• (102113161921920) mod 26
• 129 mod 26
• 25
• H(TCB) 25
• (T C B) mod 26
• (2032) mod 26
• 25 mod 26
• 25

6
Collision-Resistant Hash Functions

• Hash functions for which it is difficult to find
  collisions are called collision-resistant
• A collision-resistant hash function, H(M)h
• For any message, M1
• It is difficult to find another message, M2 such
  that
• M1 and M2 are not the same
• H(M1) and H(M2) are the same

7
One-Way Hash Functions

• A function, H(M)h, is one-way if
• Forward direction given M it is easy to compute
  h
• Backward direction given h it is difficult to
  compute M
• A one-way hash function
• Easy to compute the hash for a given message
• Hard to determine what message produced a given
  hash value

8
Message Digest Functions

• Message digest functions are collision-resistant,
  one-way hash functions
• Given a message it is easy to compute its digest
• Hard to find any message that produces a given
  digest (one-way)
• Hard to find any two messages that have the same
  digest (collision-resistant)

9
Using Message Digest Functions

• Message digest functions can be used to protect
  data integrity
• A company makes some software available for
  download over the World Wide Web
• Users want to be sure that they receive a copy
  that has not been tampered with
• Solution
• The company creates a message digest for its
  software
• The digest is transmitted (securely) to users
• Users compute their own digest for the software
  they receive
• If the digests match the software probably has
  not been altered

10
Attacks on Message Digests

• Brute-force search for a collision
• Goal
• Find a message that produces a given digest, d
• Assume
• The message digest function is strong
• The message digest function creates n-bit digests
• Approach
• Generate random messages and compute digests for
  them until one is found with digest d
• Approximately 2n random messages must be tried to
  find one that hashes to d

11
Attacks on MDs (cont)

• Birthday attack (based on the birthday paradox)
• Goal
• Find any two messages that produce the same
  digest
• Assume
• The message digest function is strong
• The message digest function creates n-bit digests
• Approach
• Generate random messages and compute digests for
  them until two are found that produce the same
  digest
• Approximately 2n/2 random messages must be tried
  to find one that hashes to d

12
The Secure Hash Algorithm

• The Secure Hash Algorithm
• A Federal Information Processing Standard (FIPS
  180-1) adopted by the U.S. government in 1995
• Based on a message digest function called MD4
  created by Ron Rivest
• Developed by NIST and the NSA
• Input a message of b bits
• Output a 160-bit message digest

13
SHA - Padding

• Input a message of b bits
• Padding makes the message length a multiple of
  512 bits
• The input is always padded (even if its length is
  already a multiple of 512)
• Padding is accomplished by appending to the
  input
• A single bit, 1
• Enough additional bits, all 0, to make the final
  512-bit block exactly 448 bits long
• A 64-bit integer representing the length of the
  original message in bits

14
SHA Padding Example

• Consider the following message
• M 01100010 11001010 1001 (20 bits)
• To pad we append
• 1 (1 bit)
• 427 0s (427 bits)
• 64-bit binary representation of the number 20 (64
  bits)
• Result
• Pad(M) 01100010 11001010 10011000 00000000 . .
  . 00000000 00010100 (512 bits)
• 464 0s have been omitted above (denoted by the
  ellipsis)

15
SHA Constant Init.

• After padding, constants are initialized to the
  following hexadecimal values
• Five 32-bit words
• H0 67452301
• H1 EFCDAB89
• H2 98BADCFE
• H3 10325476
• H4 C3D2E1F0
• Eighty 32-bit words
• K0 K19 5A827999
• K20 K39 6ED9EBA1
• K40 K59 8F1BBCDC
• K60 K79 CA62C1D6

16
SHA Step 1

• The padded message contains a whole number of
  512-bit blocks, denoted B1, B2, B3, . . ., Bn
• Each 512-bit block, Bi, of the padded message is
  processed in turn
• Bi is divided into 16 32-bit words, W0, W1, . .
  ., W15
• W0 is composed of the leftmost 32 bits in Bi
• W1 is composed of the second 32 bits in Bi
• W15 is composed of the rightmost 32 bits in Bi

17
SHA Step 2

• W0, W1, . . ., W15 are used to compute 64 new
  32-bit words (W16, W17, . . ., W79)
• Wj (16 lt j lt 79) is computed by
• XORing words Wj-3, Wj-8, Wj-14, and Wj-16
  together
• Circularly left shifting the result one bit
• for j 16 to 79
• do
• Wj Circular_Left_Shift_1(Wj-3 ? Wj-8 ? Wj-14 ?
  Wj-16)
• done

18
SHA Step 3

• The values of H0, H1, H2, H3, and H4 are copied
  into five words called A, B, C, D, and E
• A H0
• B H1
• C H2
• D H3
• E H4

19
SHA Step 4

• Four functions are defined as follows
• For (0 lt j lt 19)
• fj(B,C,D) (B AND C) OR ((NOT B) AND D)
• For (20 lt j lt 39)
• fj(B,C,D) (B ? C ? D)
• For (40 lt j lt 59)
• fj(B,C,D) ((B AND C ) OR (B AND D) OR (C AND
  D))
• For (60 lt j lt 79)
• fj(B,C,D) (B ? C ? D)

20
SHA Step 4 (cont)

• For each of the 80 words, W0, W1, . . ., W79, a
  32-bit word called TEMP is computed
• The values of the words A, B, C, D, and E are
  updated as shown below
• for j 0 to 79
• do
• TEMP Circular_Left_Shift_5(A) fj(B,C,D) E
  Wj Kj
• E D D C C Circular_Left_Shift_30(B) B
  A A TEMP
• done

21
SHA Step 5

• The values of H0, H1, H2, H3, and H4, are
  updated
• H0 H0 A
• H1 H1 B
• H2 H2 C
• H3 H3 D
• H4 H4 E

22
SHA - Overview

• Pad the message
• Initialize constants
• For each 512-bit block (B1, B2, B3, . . ., Bn)
• Divide Bi into 16 32-bit words (W0 W15)
• Compute 64 new 32-bit words (W16, W17, . . .,
  W79)
• Copy H0 - H4 into A, B, C, D, and E
• For each Wj (W0 W79) compute TEMP and update
  A-E
• Update H0 - H4
• The 160-bit message digest is H0 H1 H2 H3 H4

23
Motivation for Message Authentication Codes

• Want to use a message digest function to protect
  files on our computer from viruses
• Calculate digests for important files and store
  them in a table
• Recompute and check from time to time to verify
  that the files have not been modified
• Good if a virus modifies a file the change will
  be detected since the digest of that file will be
  different
• Bad the virus could just compute new digests for
  modified files and install them in the table

24
Message Authentication Codes

• A message authentication code (MAC) is a
  key-dependent message digest function
• MACK(M) h
• The output, h, is a function of both the hash
  function and a key, K
• The MAC can only be created or verified by
  someone who knows K
• Can turn a one-way hash function into a MAC by
  encrypting the hash value with a symmetric-key
  cryptosystem

25
Using MAC

• MAC can be used to protect data integrity and
  authenticity
• Want to use a MAC to protect files on our
  computer from viruses
• Calculate MAC values for important files and
  store them in a table
• Recompute and check from time to time to verify
  that the files havent been modified
• Good if a virus modifies a file the hash of that
  file will be different
• Good virus doesnt know the proper key so it
  cant install new MACs in the table to cover its
  tracks

26
Implementing a MAC

• Can use a block cipher algorithm
• Pad the message (if necessary) so that its length
  is a multiple of the ciphers block size
• Divide the message into n blocks equal in length
  to the ciphers block size
• m1, m2, . . ., mn
• Choose a key, k
• Encrypt m1 with k
• XOR the result with m2
• Encrypt the result with k
• XOR the result with m3

27
Implementing a MAC (cont)

28
Summary

• Message digests
• Message digest functions are collision-resistant,
  one-way hash functions
• Collision-resistant hard to find two values that
  produce the same output
• One-way hard to determine what input produced a
  given output
• Protects the integrity of a digital document
• MAC
• A message authentication code is a key-dependent
  message digest function
• The output is a function of both the hash
  function and a secret key
• The MAC can only be created or verified by
  someone who knows the key
• Protects the integrity and authenticity of a
  digital document